{{- define "operator_trivy_server_resources" }}
cpu: 50m
memory: 50Mi
{{- end }}

{{- if (.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
---
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: server
  namespace: d8-{{ .Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" "trivy-server")) | nindent 2 }}
spec:
  targetRef:
    apiVersion: "apps/v1"
    kind: StatefulSet
    name: trivy-server
  updatePolicy:
    updateMode: "Auto"
  resourcePolicy:
    containerPolicies:
    - containerName: server
      minAllowed:
        {{- include "operator_trivy_server_resources" . | nindent 8 }}
      maxAllowed:
        cpu: 100m
        memory: 100Mi
{{- end }}

---
apiVersion: v1
kind: Service
metadata:
  name: trivy-server
  namespace: d8-{{ .Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" .Chart.Name  "instance" "trivy-server" "name" "trivy-server")) | nindent 2 }}
spec:
  type: ClusterIP
  selector:
    app: {{ .Chart.Name }}
    name: trivy-server
    instance: trivy-server
  ports:
    - name: trivy-http
      protocol: TCP
      port: 4954
      targetPort: 4954
  sessionAffinity: ClientIP

---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: trivy-server
  namespace: d8-{{ .Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" .Chart.Name  "instance" "trivy-server" "name" "trivy-server")) | nindent 2 }}
spec:
  podManagementPolicy: "Parallel"
  serviceName: trivy-server
  replicas: 1
  selector:
    matchLabels:
      app: {{ .Chart.Name }}
      name: trivy-server
      instance: trivy-server
  template:
    metadata:
      annotations:
        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
      {{- include "helm_lib_module_labels" (list . (dict "app" .Chart.Name  "instance" "trivy-server" "name" "trivy-server")) | nindent 6 }}
    spec:
      imagePullSecrets:
      - name: deckhouse-registry
      serviceAccountName: operator-trivy
      automountServiceAccountToken: false
      {{- include "helm_lib_node_selector" (tuple . "system") | nindent 6 }}
      {{- include "helm_lib_tolerations" (tuple . "system") | nindent 6 }}
      {{- include "helm_lib_priority_class" (tuple . "cluster-low") | nindent 6 }}
      {{- include "helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs" . | nindent 6 }}
      containers:
        - name: server
          {{- include "helm_lib_module_container_security_context_capabilities_drop_all_and_add"  (list . (list)) | nindent 10 }}
          image: {{ include "helm_lib_module_image" (list . "trivy") }}
          args:
            - server
          envFrom:
            - configMapRef:
                name: trivy-operator-trivy-config
          ports:
            - name: trivy-http
              containerPort: 4954
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /healthz
              port: trivy-http
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 10
          readinessProbe:
            httpGet:
              scheme: HTTP
              path: /healthz
              port: trivy-http
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          volumeMounts:
            - mountPath: /tmp
              name: tmp-data
              readOnly: false
            - mountPath: /home/scanner/.cache
              name: data
              readOnly: false
            - mountPath: /.docker
              name: docker-config
              readOnly: true
          resources:
            requests:
            {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 14 }}
{{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
            {{- include "operator_trivy_server_resources" . | nindent 14 }}
{{- end }}
      volumes:
        - name: tmp-data
          emptyDir: {}
        - name: docker-config
          secret:
            defaultMode: 420
            items:
            - key: .dockerconfigjson
              path: config.json
            secretName: deckhouse-registry
{{- $storageClass := .Values.operatorTrivy | dig "internal" "effectiveStorageClass" false }}
{{- if $storageClass }}
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: {{ $storageClass }}
        resources:
          requests:
            storage: 5Gi
{{- else }}
        - name: data
          emptyDir: {}
{{- end }}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: trivy-server
  namespace: d8-{{ .Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" .Chart.Name  "instance" "trivy-server" "name" "trivy-server")) | nindent 2 }}
spec:
  minAvailable: 0
  selector:
    matchLabels:
      app: {{ .Chart.Name }}
      instance: trivy-server
      name: trivy-server
